How Google is Fixing a Fatal Security Flaw

Google is making the best security feature, two-step verification, a little bit easier to use. This week, the company announced that it’s swapping out the annoying (and hackable) six-digit code for a simple “yes” or “no” button. This is a great move.

The update could be a huge win for everyone’s security. The easier it is to use two-step verification, the more likely people are to set it up, which means fewer people will be hacked. The update rolls out this week for Android and iOS, although iOS users will have to download the Google app in order to take advantage of the new feature. Once you’ve done that, head over to the Google account page and set it up under your security settings.

And you really should set it up, if you care about protecting your accounts online. Enabling two-step verification is one of the easiest things you can do to beef up your own security. It can be a pain when you’re logging into various accounts, but the benefits greatly outweigh the drawbacks. Furthermore, Google’s update makes two-step verification less of a pain.

Even if a malicious hacker has your username and password, they can often be thwarted by two-step verification. We recommend using it on your bank account, Facebook account, Twitter account, and just about any other account you can think of. There’s even a handy tool for seeing which internet services offer it.

But two-step verification isn’t foolproof. In scenarios where you receive a text with a verification code on your phone (which is often the default setting), a hellbent hacker could socially engineer your carrier into forwarding text messages to their phone by calling customer service and pretending to be you. At that point, your security is only as good as the customer service agent working for your service provider. So after the hacker has tricked some poor customer service rep, they can log in with your username and password, probably stolen from some leaked database, have your two-step verification code sent to their phone, and boom, they’re in.

This is a rare occurrence, but it’s happened to major public figures. For example, Black Lives Matter activist DeRay McKesson had his Twitter account stolen this month because a hacker used a similar method to gain access to his account.

By calling @verizon and successfully changing my phone's SIM, the hacker bypassed two-factor verification which I have on all accounts.

Right now, the best solution to this is in-app verification like Google’s new approach. Instead of getting a text message sent to your phone, you can just fire up an app, tap a button or grab a code provided, and you’re good to go. Google, Facebook, and Twitter are all notable services that offer in-app verification, and now that Google is making it easy as hell to use, let’s hope more people start setting it up. [Google]